ASA private vlan in DMZ NAT issue

Hello

I've recently upgraded a 5550 Active/Standby ASA pair from 8.2 to 8.4 and then to 9.1.3

With 8.2, static NATs/ACLs were used to control traffic through the firewall but with 8.4 onwards, only ACLs were used (static NATs were deleted)

This worked fine for all traffic except for the DMZ:

  • DMZ uses private vlans
  • From Inside interface I can access hosts on the secondary private vlan interfaces using ACLs
  • From Inside interface I can't access hosts on the primary private vlan interfaces using ACLs only - I have to create a static NAT (inside,DMZ) also.

Can anyone tell me why I have to create static NATs to access primary private vlan hosts but not with secondary ones? See attached for ASA/DMZ config excerpt.

Thanks
Andy

3 REPLIES

Hi Andrew,

Can you post the packet-tracer output for the working one and the not working one?

Regards

Karthik

Thanks for the reply Karthik.

When I attempt to connect to a DMZ private vlan primary IP address from a client on the Inside when I have no static NAT in place, packet tracer shows that the traffic is permitted (the NAT output is below; the Access list output references the ACL ACE permitting the traffic).

Type - NAT
Subtype - per-session
Action - ALLOW

When I attempt to connect to a DMZ private vlan primary IP address from a client on the Inside when I do have a static NAT in place, packet tracer shows that the traffic is permitted (the NAT output is below; <INSIDE_HOST> is the IP address of the Inside host I'm using; the Access list output references the ACL ACE permitting the traffic).

Type - NAT
Action - ALLOW
Show rule in NAT Rules table.
Config - object network <INSIDE_HOST> nat (inside,DMZ) static <INSIDE_HOST>
Info - Static translate <INSIDE_HOST>/22 to <INSIDE_HOST>/22

Type - NAT
Subtype - per-session
Action - ALLOW

So packet tracer shows that in both instances the traffic is permitted.

Thanks
Andy

Hello. Got this working ok.

Set up 2 ASAs to troubleshoot this. Just to recap:

  • DMZ switch private-vlan primary SVIs used for management
  • ACL on Inside interface was permitting traffic to the SVIs in the DMZ.
  • Packet tracer showed traffic as allowed but I was getting no response from the DMZ SVIs
  • The only way I could facilitate Inside-DMZ SVI traffic was to create static NATs (inside,DMZ)


The solution was embarrassingly simple - the DMZ switches were not configured with a default gateway. Once the DMZ switches had a default-gateway, inside-DMZ SVI traffic worked without the need for static NATs.

When the DMZ switches didn't have a default-gateway and I had static NATs in place, am I right in saying that the ASA was using proxy arp to facilitate the inside-DMZ svi traffic?

Thanks
Andy
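The switch-side fix and the NAT workaround described in this thread, as an added illustration rather than configuration posted by Andy or Karthik. Interface names, VLAN numbers, the object name INSIDE_HOST and all addresses are constructed placeholders; the comments give the commonly documented 8.4+ behaviour that is consistent with the proxy-ARP explanation Andy asks about.

```cisco
! --- DMZ switch (Layer 2, ip routing disabled); constructed addresses ---
! Before the fix: the primary private-vlan SVI has no route off its own
! subnet. In IOS host mode the switch then ARPs on the VLAN for any
! off-subnet destination (such as an Inside host) and only gets a reply
! if some device on that segment answers with proxy ARP.
interface Vlan100
 description DMZ primary private-vlan management SVI (assumed)
 private-vlan mapping 101,102
 ip address 192.0.2.10 255.255.255.0
!
! After the fix: point the switch at the ASA DMZ interface so replies to
! Inside hosts are sent to the gateway instead of being ARPed for.
ip default-gateway 192.0.2.1

! --- ASA 9.1 (assumed interface names inside/DMZ, constructed host) ---
! The workaround that made traffic flow without a default gateway: an
! identity static object NAT. On 8.4+ a static object NAT causes the ASA
! to answer ARP on the mapped (DMZ) interface for the mapped address, so
! the ASA replied to the switch's ARP for 10.0.0.50 and a reply path
! existed only as a side effect of the NAT rule.
object network INSIDE_HOST
 host 10.0.0.50
 nat (inside,DMZ) static INSIDE_HOST
!
! Once the switch has a gateway the NAT rule is unnecessary. If an
! identity NAT must stay for other reasons, suppress the proxy ARP it
! implies so the ASA does not answer ARP on the DMZ for addresses that
! are not part of the DMZ segment.
object network INSIDE_HOST
 nat (inside,DMZ) static INSIDE_HOST no-proxy-arp
!
! Checks after the change (run on the respective device):
!   switch# show ip arp 10.0.0.50   -> no entry expected for an Inside host
!   switch# show ip route            -> default gateway pointing at 192.0.2.1
!   asa# packet-tracer input inside tcp 10.0.0.50 1025 192.0.2.10 22
```

The `packet-tracer` line should now pass on the ACL phase with no NAT phase other than the per-session rule, matching the "working" output quoted above.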
